Fail2ban Data Sharing

Update: I've started a project site here: https://sourceforge.net/apps/mediawiki/f2bshare/index.php?title=Main_Page

We've recently had several phone systems under heavy attack.  We're using fail2ban, but that doesn't seem very proactive to me.  I've been using denyhosts (http://denyhosts.sf.net) on our systems for a few years and I've been really happy with how the number of SSH login attempts drops off after installing it.  However, I've been unable to find anything similar for fail2ban, and Asterisk doesn't use hosts.deny, so the two don't work together.

I decided it really wouldn't be too difficult to put together a solution that lets me block attackers preemptively.  Attackers can hit one of the PBXs I manage, but the others will know they're coming and will block the IP address first.  I've written a small server that sits on one of my web sites and manages the list.  At present the program requires a username and password for access.  I'm not sure what I'll end up doing with that, but if you want to start using it just drop me an email for credentials.

I've prepopulated the database with information from the VoIP Abuse Project (http://www.infiltrated.net/voipabuse/) and I'm feeding a couple of my servers into it as well.  Currently the server does not expire bans, but I plan on adding that a little later; at present I have no need to reopen access to systems once I've banned them.  The server also has rules so that if you feed it IP addresses from a private subnet such as 192.168.2.2 it will not log them, since they are not unique.

Bans can be revoked locally in fail2ban.  I intend to have a web interface for this someday, which is part of the reason for the username and password requirement.  For now you can revoke submissions that you made using an HTTP GET.  Here's a sample (the URL is quoted so the shell does not treat the & as a background operator): wget "http://fail2ban.aleph-com.net/cgi-bin/report.cgi?username=USER&password=..."

If you're interested in using this submit your information here: http://fail2ban.aleph-com.net/f2bsharing_account

Here's the setup information for fail2ban-share.

Replace "USER" and "PASS" with your username and password.

  1. Add a cron entry that downloads the shared list.  This sample runs once every hour; I would appreciate it if you randomized the minute to keep the load on my systems spread out.

    1 * * * * wget -O /var/log/fail2ban-share.log "http://fail2ban.aleph-com.net/cgi-bin/report.cgi?username=USER&password=PASS&mode=LIST" >/dev/null 2>&1

  2. Create /etc/fail2ban/action.d/fail2ban-share.conf with the following contents:

    # Fail2Ban configuration file
    #
    # Author: Darren Wiebe
    #

    [Definition]

    # Option:  actionstart
    # Notes.:  command executed once at the start of Fail2Ban.
    # Values:  CMD
    #
    actionstart =

    # Option:  actionstop
    # Notes.:  command executed once at the end of Fail2Ban
    # Values:  CMD
    #
    actionstop =

    # Option:  actioncheck
    # Notes.:  command executed once before each actionban command
    # Values:  CMD
    #
    actioncheck =

    # Option:  actionban
    # Notes.:  command executed when banning an IP. Take care that the
    #          command is executed with Fail2Ban user rights.
    # Tags:    <ip>  IP address
    #          <failures>  number of failures
    #          <time>  unix timestamp of the ban time
    # Values:  CMD
    #
    actionban = wget --delete-after "http://<f2b_share_host>/cgi-bin/report.cgi?username=<username>&password=<password>&address=<ip>&mode=SUBMIT"

    # Option:  actionunban
    # Notes.:  command executed when unbanning an IP. Take care that the
    #          command is executed with Fail2Ban user rights.
    # Tags:    <ip>  IP address
    #          <failures>  number of failures
    #          <time>  unix timestamp of the ban time
    # Values:  CMD
    #
    actionunban =

    [Init]

    f2b_share_host = fail2ban.aleph-com.net
    username = USER
    password = PASS

  3. Now decide which results you want to push to fail2ban-share.  In the following example from my /etc/fail2ban/jail.conf I'm pushing Asterisk registration failures to the cloud.  I'm also monitoring the downloaded file and firewalling out any systems listed in it.

    [asterisk-iptables]
    enabled  = true
    filter   = asterisk
    action   = iptables-allports[name=ASTERISK, protocol=all]
               sendmail-whois[name=ASTERISK, dest=root@pbx, sender=fail2ban@pbx]
               fail2ban-share[name=ASTERISK]
    logpath  = /var/log/asterisk/messages
    maxretry = 3
    bantime  = 86400

    [fail2ban-share-iptables]
    enabled  = true
    filter   = fail2ban-share
    action   = iptables-allports[name=FAIL2BAN-SHARE, protocol=all]
    logpath  = /var/log/fail2ban-share.log
    maxretry = 0
    bantime  = 86400

  4. Create /etc/fail2ban/filter.d/fail2ban-share.conf with the following contents.  This filter is what lets the fail2ban-share-iptables jail parse fail2ban-share.log and ban the addresses listed in it.

    # Fail2Ban configuration file

    [INCLUDES]

    # Read common prefixes. If any customizations available -- read them from
    # common.local

    #before = common.conf

    [Definition]

    #_daemon = fail2ban-share
    # Option:  failregex
    # Notes.:  regex to match the password failures messages in the logfile. The
    #          host must be matched by a group named 'host'. The tag '<HOST>' can
    #          be used for standard IP/hostname matching and is only an alias for
    #          (?:::f{4,6}:)?(?P<host>\S+)
    # Values:  TEXT
    #

    failregex = <HOST>

    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT

    ignoreregex =
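Because the filter's failregex is just <HOST>, the fail2ban-share-iptables jail will try to ban whatever non-blank token appears on each line of the downloaded file. The script below is an added example, not code from the original post or from the fail2ban-share project. It expands the <HOST> alias exactly as the filter comment above spells it out, runs it over a constructed sample of a downloaded list, and drops anything that is not a routable unicast address (the private ranges the server is already supposed to strip, loopback, link-local, multicast, a CIDR block, a hostname) or that falls inside networks you protect yourself (your own sites, VPN, SIP trunk provider). The sanitize_file helper is meant to run from the same cron entry between the wget download and the jail reading the file; the 198.51.100.192/26 protected network and the file paths are assumed placeholders.

```python
#!/usr/bin/env python3
"""Sanitize a downloaded fail2ban-share list before fail2ban consumes it.

Added example, not code from the original post or the fail2ban-share
project.  It assumes the downloaded file holds one address per line,
which is what the fail2ban-share filter (failregex = <HOST>) expects.
"""
import ipaddress
import os
import re
import sys

# The <HOST> alias, expanded as the fail2ban filter comment describes it.
# It captures any run of non-whitespace, so on its own it accepts anything.
HOST_RE = re.compile(r"(?:::f{4,6}:)?(?P<host>\S+)")

# Address space that must never reach the firewall from a shared feed:
# RFC 1918 and other special-purpose IPv4 ranges, plus the IPv6 equivalents.
NEVER_BAN = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def match_host(line):
    """Return what fail2ban's <HOST> tag would capture from a line, or None."""
    m = HOST_RE.search(line)
    return m.group("host") if m else None


def is_bannable(text):
    """True only for a syntactically valid address outside NEVER_BAN."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:          # hostnames, CIDR blocks, garbage
        return False
    return not any(addr in net for net in NEVER_BAN)


def sanitize(lines, protected=()):
    """Filter a downloaded share list.

    Returns (accepted, rejected): accepted is the deduplicated list of
    addresses, in feed order, that are safe to hand to the jail; rejected
    maps each dropped line to the reason.  `protected` is an iterable of
    CIDR strings for networks you never want banned (your own sites, VPN,
    SIP trunk provider).
    """
    protected_nets = [ipaddress.ip_network(p, strict=False) for p in protected]
    accepted, rejected, seen = [], {}, set()
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host = match_host(line)
        if host is None or not is_bannable(host):
            rejected[line] = "not a routable unicast address"
            continue
        addr = ipaddress.ip_address(host)
        if any(addr in net for net in protected_nets):
            rejected[line] = "in protected network"
            continue
        if host not in seen:
            seen.add(host)
            accepted.append(host)
    return accepted, rejected


def sanitize_file(src, dst, protected=()):
    """Read the raw download at src and write the clean list to dst atomically.

    Returns the number of accepted addresses.  The jail watching dst never
    sees a half-written file because the rename happens only at the end.
    """
    with open(src, encoding="utf-8", errors="replace") as fh:
        accepted, rejected = sanitize(fh, protected)
    tmp = dst + ".tmp"
    with open(tmp, "w", encoding="utf-8") as out:
        out.write("".join(a + "\n" for a in accepted))
    os.replace(tmp, dst)
    for line, why in rejected.items():
        print(f"dropped {line!r}: {why}", file=sys.stderr)
    return len(accepted)


# Constructed sample of a downloaded list; none of these are real reports.
SAMPLE_FEED = [
    "# constructed sample",
    "203.0.113.45",
    "198.51.100.7",
    "203.0.113.45",          # duplicate entry
    "192.168.2.2",           # private, the page's own example of a dropped address
    "127.0.0.1",             # loopback
    "::ffff:198.51.100.9",   # IPv4-mapped form; <HOST> strips the ::ffff: prefix
    "2001:db8::1",
    "198.51.100.200",        # inside the protected network used below
    "not-an-address",
    "10.0.0.0/8",            # a network, not a single address
]

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Hypothetical cron usage: raw download in, clean list out.
        n = sanitize_file(sys.argv[1], sys.argv[2], protected=("198.51.100.192/26",))
        print(f"{n} addresses accepted")
    else:
        ok, bad = sanitize(SAMPLE_FEED, protected=("198.51.100.192/26",))
        print("accepted:", ok)
        print("rejected:", bad)
```

To use it from cron, point wget at a raw path (for example /var/lib/fail2ban-share/raw.txt) and then run the script with that path and /var/log/fail2ban-share.log as its two arguments, so the jail only ever reads the cleaned file. Writing to a temporary file and renaming means the jail never sees a half-written list, and the dropped entries go to stderr so a malformed or unexpectedly large feed is noticed rather than silently applied. The feed itself is fetched over plain HTTP with the credentials in the query string, which is one more reason not to apply its contents unchecked.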